------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.12.0-rc1-syzkaller-00046-g7ec462100ef9 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 78 1c fe fc 84 db 0f 85 66 ff ff ff e8 8b 1a fe fc c6 05 e0 7e b8 0b 01 90 48 c7 c7 40 4a d1 8b e8 17 03 bf fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 68 1a fe fc 0f b6 1d bb 7e b8 0b 31
RSP: 0018:ffffc90000858930 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff814e7329
RDX: ffff88801de88000 RSI: ffffffff814e7336 RDI: 0000000000000001
RBP: ffff88802ff899e4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: 0000000000000000 R14: ffff88802ff899e4 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1510c532d0 CR3: 000000000df7c000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:275 [inline]
 __refcount_dec_and_test include/linux/refcount.h:307 [inline]
 refcount_dec_and_test include/linux/refcount.h:325 [inline]
 skb_unref include/linux/skbuff.h:1232 [inline]
 __sk_skb_reason_drop net/core/skbuff.c:1213 [inline]
 sk_skb_reason_drop+0x183/0x1a0 net/core/skbuff.c:1241
 kfree_skb_reason include/linux/skbuff.h:1262 [inline]
 kfree_skb include/linux/skbuff.h:1271 [inline]
 j1939_session_destroy+0x163/0x460 net/can/j1939/transport.c:282
 __j1939_session_release net/can/j1939/transport.c:294 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put net/can/j1939/transport.c:299 [inline]
 j1939_xtp_rx_eoma+0x327/0x660 net/can/j1939/transport.c:1411
 j1939_tp_cmd_recv net/can/j1939/transport.c:2113 [inline]
 j1939_tp_recv+0xcb8/0xf50 net/can/j1939/transport.c:2161
 j1939_can_recv+0x78f/0xa50 net/can/j1939/main.c:108
 deliver net/can/af_can.c:572 [inline]
 can_rcv_filter+0x2a8/0x900 net/can/af_can.c:606
 can_receive+0x320/0x5c0 net/can/af_can.c:663
 can_rcv+0x1e2/0x280 net/can/af_can.c:687
 __netif_receive_skb_one_core+0x1b1/0x1e0 net/core/dev.c:5662
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5775
 process_backlog+0x443/0x15f0 net/core/dev.c:6107
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6771
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6962
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1037
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:92 [inline]
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:743
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 63 ca 44 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc90000197e08 EFLAGS: 00000202
RAX: 0000000000035f89 RBX: 0000000000000002 RCX: ffffffff8b21bdd9
RDX: 0000000000000000 RSI: ffffffff8b6cd040 RDI: ffffffff8bd19d40
RBP: ffffed1003bd1000 R08: 0000000000000001 R09: ffffed100d507025
R10: ffff88806a83812b R11: 0000000000000000 R12: 0000000000000002
R13: ffff88801de88000 R14: ffffffff905f2ac8 R15: 0000000000000000
 default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117
 cpuidle_idle_call kernel/sched/idle.c:185 [inline]
 do_idle+0x32c/0x3f0 kernel/sched/idle.c:326
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:424
 start_secondary+0x222/0x2b0 arch/x86/kernel/smpboot.c:314
 common_startup_64+0x13e/0x148
 </TASK>
----------------
Code disassembly (best guess):
   0:	4c 01 c7             	add    %r8,%rdi
   3:	4c 29 c2             	sub    %r8,%rdx
   6:	e9 72 ff ff ff       	jmp    0xffffff7d
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	90                   	nop
  1b:	f3 0f 1e fa          	endbr64
  1f:	eb 07                	jmp    0x28
  21:	0f 00 2d 63 ca 44 00 	verw   0x44ca63(%rip)        # 0x44ca8b
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	fa                   	cli <-- trapping instruction
  2b:	c3                   	ret
  2c:	cc                   	int3
  2d:	cc                   	int3
  2e:	cc                   	int3
  2f:	cc                   	int3
  30:	66 66 2e 0f 1f 84 00 	data16 cs nopw 0x0(%rax,%rax,1)
  37:	00 00 00 00
  3b:	90                   	nop
  3c:	90                   	nop
  3d:	90                   	nop
  3e:	90                   	nop
  3f:	90                   	nop